LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

September 2004

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS September 2004

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: krb5/afs on SL 3.0.2 (x86_64) ?
From:	Troy Dawson <[log in to unmask]>
Reply To:	Troy Dawson <[log in to unmask]>
Date:	Fri, 10 Sep 2004 13:39:56 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (138 lines)

Well, the short answer is ... nope ... that didn't fix it.  At least not for
me.  I think I'm going to try and take their patch out and then just put in
your 3 line change, see if that fixes it.

Troy

Troy Dawson wrote:
> Hi Stephan,
> First off, my apologies for replying so late, it's not that I don't
> think this
> is important, I just haven't had any clear plan on which direction to go.
>
> Second off, my thanks to Patrick.  I was having a hard time in tracking
> this
> down, mainly because everytime I started something came up with higher
> priority.
>
> So what to do?
> Well, I guess the first thing is to check and see if it indeed does fix the
> problem.  I am compiling right now as I write this.
>
> What I really love is that above where they comment it out, it has the web
> page reference to why they did it.
> http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001735.html
>
> Evidently, this is a "feature" and not a "bug" because it is
> "the behavior people seem to expect"
>
> So, it seems this is the second "feature" that RedHat has put into their
> kerberos that has just made me want to scream.
>
> So what to do?
>
> Well ... I'm thinking at least for starters, we have something in the
> contrib
> area that people can install that works.  But then we have to see how many
> people actually want this feature.
>
> Troy
>
> Stephan Wiesand wrote:
>
>> Hi Troy,
>>
>> Patrick looked into this, and found that the following patch to krb5
>> makes the pam_krb5afs.so module and kinit work (give you an AFS token
>> in addition to K4/K5 tickets):
>>
>> --- src/include/kerberosIV/des.h        1999-09-24 23:16:08.000000000
>> +0200
>> +++ ../krb5-1.2.7.new/src/include/kerberosIV/des.h      2004-09-07
>> 14:39:51.000000000 +0200
>> @@ -54,7 +54,8 @@
>>  #define NEAR
>>  #endif
>>
>> -#ifndef __alpha
>> +//#ifndef __alpha
>> +#if 0
>>  #define KRB4_32        long
>>  #else
>>  #define KRB4_32        int
>>
>> What actually fails is the clock skew test in pam_krb5afs.so.
>>
>> At first glance, it seems this was overlooked. But scrutiny of the
>> krb5.src.rpm reveals that it's much worse: There's a Patch37 with this
>> problem fixed and some similar ones as well, and it was backed out.
>> From krb5.spec:
>>
>> # Reverted, per
>> http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001735.html
>> # %patch37 -p1 -b .32
>>
>> Hence this is broken deliberately. I guess (haven't tried yet) rebuilding
>> krb5 with patch37 enabled, and rebuilding anything that includes
>> <kerberosIV/des.h> afterwards, will make things work. But at least in
>> some respect, this would no longer be a "RHEL compatible" system.
>>
>> One could probably build pam_krb5afs.so against a different build of
>> krb5,
>> use the 32bit versions of afslog/aklog, and keep stuffing holes as they
>> show up, but I don't like that idea too much either.
>>
>> Any ideas?
>>
>> Cheers,
>>         Stephan
>>
>>
>> On Tue, 17 Aug 2004, Troy Dawson wrote:
>>
>>
>>> *Troy sits with a puzzled look on his face*
>>> I really could have sworn that this had worked for me.  Really, I
>>> tested it.
>>> But now it isn't.  I can only think that maybe I already had some AFS
>>> tokens
>>> and I was just regrabbing them.
>>>
>>> I hearby pull out my "works for me".
>>>
>>> I so far have found at least one problem.  After getting a kerberos
>>> ticket, if
>>>  I do just a
>>>  /usr/bin/aklog
>>> I get a
>>>  Segmentation fault
>>> So clearly  the /usr/bin/aklog isn't working as it should.
>>> I'm investigating.
>>> Troy
>>
>>
>>
>> --
>>
>>  ----------------------------------------------------
>> | Stephan Wiesand  |                                |
>> |                  |                                |
>> | DESY     - DV -  | phone  +49 33762 7 7370        |
>> | Platanenallee 6  | fax    +49 33762 7 7216        |
>> | 15738 Zeuthen    |                                |
>> | Germany          |                                |
>>  ----------------------------------------------------
>
>
> --
> __________________________________________________
> Troy Dawson  [log in to unmask]  (630)840-6468
> Fermilab  ComputingDivision/CSS  CSI Group
> __________________________________________________

--
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/CSS  CSI Group
__________________________________________________

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV